As a business, it’s likely that you will receive a DSAR at some point. Whether it’s from a current or former employee, customer, or someone else whose data you hold, it’s important to deal with them correctly to remain on the right side of the law. This article from our Consultant Compliance Counsel Mandy Hargun discusses what businesses and business owners need to know about DSARs.
What is a DSAR?
A DSAR (Data Subject Access Request) is a request made by an individual (the data subject) for a copy of, or access to, their personal data.
Why do I need to know about DSARs?
As a business, it’s essential to handle DSARs efficiently to ensure compliance with data privacy laws such as GDPR.
How to deal with DSARs
As a business, it’s vital to deal with DSARs correctly. Here are some key things you should note. Essentially, responding to a request requires careful attention to detail, and adherence to data protection principles. You may want to seek assistance from a specialist lawyer to ensure that you are dealing with DSARs correctly and in accordance with all relevant legislation.
Recognising a DSAR
Your staff should be able to recognise when a DSAR comes through. This is because these requests can be made to anyone at your organisation via email, phone call, or even through a direct message (DM).
Send the DSAR to the relevant function
The staff member who receives the DSAR must send it to the relevant function within the business to ensure that it’s dealt with in a timely manner.
Log the DSAR and note the timeframe
You must respond within one month, which can be extended for a further two months if the request is complex or more than one request has been made by the individual.
Identify the data subject
Assess whether the request can be limited. You should seek legal advice to check whether any valid exemptions apply.
Collate Data
Identify and gather all personal data related to the data subject mentioned in the request.
Review/Redact Data
There may be personal data of other individuals which must be redacted before you can provide the data that the individual has requested.
Record-keeping and documentation
Keep a detailed record and document the steps taken to respond to the DSAR, along with any decisions made regarding the disclosure of personal data.
What happens if I don’t deal with DSARs correctly?
If you fail to respond to DSARs, or don’t deal with them adequately, you may receive complaints from the individuals making the requests.
The ICO may also take action against an organisation if it fails to comply with data privacy laws. This can take the form of fines as a percentage of your turnover, increasing in severity if your business repeatedly fails to comply with its obligations.
Do I need a lawyer to deal with DSARs?
While there is no requirement to utilise the services of a lawyer when dealing with DSARs, it can be hugely helpful to ensure that you are dealing with everything properly and efficiently.
Assessing whether any exemptions apply or redacting information can be a time-consuming and meticulous task. At Setfords, our specialist data protection lawyers can help by sifting through data for you, drafting a response on your behalf, and providing other advice relating to dealing with DSARs. Contact us below to find out more about how we can assist you.